Despite its computer systems being infected with malware since Monday, MedStar Health, which operates 10 hospitals and more than 250 outpatient facilities in and around Washington, D.C., has continued to provide patient care at near normal levels, according to several updates released this week.
Since the malware attack occurred, MedStar Health has treated an average of 3,380 patients a day at its 10 facilities, it announced Thursday. It has treated nearly 4,000 patients in its ERs and performed more than 1,000 surgeries.
Neither MedStar nor the FBI, which is investigating the incident, will say whether ransomware was used in the attack.
However, perpetrators of the attack have asked for 45 bitcoins — about US$18,500 — to unlock all of the healthcare provider’s infected systems, The Baltimore Sun reported.
The ransom note appeared on the screens of all computers on the MedStar network when users tried to access any files on the system, according to the paper.
MedStar did not respond to our request for comment for this story.
Hacker’s Playbook
A cyberattack on Hollywood Presbyterian Hospital earlier this year set the game plan for hackers targeting healthcare providers.
“They know the playbook they have to run to take advantage of these situations,” said Chris Ensey, COO of Dunbar Security Solutions.
“They received $17,000 for the Hollywood hack,” he told TechNewsWorld. “That set the market rate.”
Healthcare systems in particular are susceptible to cyberattacks because of the way they share information.
“They have to share information quickly and with a lot of different constituents that are part of the caregiving process,” Ensey said. “That requires lots of different openings to be poked open in your firewalls so the attack surface is broader.”
What’s more, there are many medical devices with network connections and software that hasn’t been updated or maintained, he continued.
“There are lots of soft points that a hacker can take advantage of in that infrastructure,” Ensey said.
Lack of Commitment
Despite years of FBI cyberthreat warnings, healthcare providers have been tightfisted when it comes to security spending.
“Healthcare has not made a significant investment in information security technology,” said David Holtzman, vice president of compliance at CynergisTek.
“Over the past several years, we have seen healthcare organizations devoting only 3 percent of their IT budgets to information security, and only a little over half of them have a dedicated resource focused on information security,” he told TechNewsWorld.
“These are strong indicators of the lack of commitment across the healthcare sector for putting appropriate weight and resources to safeguarding health information across the enterprise,” Holtzman said.
Every year that security is underfunded is a year in which healthcare systems become more susceptible to attack.
“I think we are seeing the effect of that now in cases like MedStar,” Bugcrowd VP of Operations Jonathan Cran told TechNewsWorld.
The healthcare industry is not equipped to handle these attacks, observed Linn F. Freedman, a partner with the law firm of Robinson+Cole.
“These attacks are malicious,” she told TechNewsWorld. “They are debilitating, and healthcare entities do not have the resources to be able to combat these highly sophisticated cyberintrusions.”
Damage Control
Even when MedStar gets its systems back online, it will be difficult to ascertain exactly what happened to them and whether they remain at risk.
“What you have to do is shut down your network and painstakingly gather all the evidence,” explained Karthik Krishnan, vice president of product management at Niara.
“That’s an extremely hard thing to do for most companies,” he told TechNewsWorld. “The down time could be weeks. That’s unacceptable.”
Since MedStar’s service levels don’t seem to be severely impacted by the malware on its systems, it may be able to ignore its attackers’ ransom demands.
“Every situation is different with respect to whether an entity should pay a ransom,” Robinson+Cole’s Freedman said. “Hollywood Presbyterian made that decision because they needed to get their [electronic medical records] up and running. In the MedStar case, the EMR wasn’t affected.”
Taking a hard line against extortionists has its merits, but the decision is rarely uncomplicated.
“In the financial sector, our stance was never pay the ransom because we didn’t want to encourage the attackers,” said Sean Tierney, director of cyber intelligence for Infoblox.
However, “if you aren’t equipped to defend against the problem,” he told TechNewsWorld, “then you have to consider paying the ransom — but it should always be your very last resort.”